Hi! I'm using the redbook "Security on z/VM" to try to use RACF to authorize logon to z/Linux.

Now, following the redbook carefully, I'm stuck in "Chapter 3 z/VM LDAP server", bullet 12, "Verify LDAPADM2 is able to use native authentication:".

I've added user linux2 to RACF:

  rac adduser linux2 pass(TEST123)
  Ready; T=0.01/0.01 16:38:24

Here's the command that will not work:

  ldapsrch -h 192.168.235.245 -D "cn=linux2,o=ibm" -w "TEST123/ITSO7471" -s base -b "o=ibm objectclass=*"
  ldapsrch -h 192.168.235.245 -D cn=linux2,o=ibm -w TEST123/ITSO7471 -s base -b o=ibm objectclass=*
  ldap_sasl_bind_s: Credentials are not valid
  ldap_sasl_bind_s: additional info: R004062 Credentials are not valid (ldbm_authenticate_user)
  Ready; T=0.01/0.02 16:38:33

Which credentials are not valid? How should I proceed?

Here are the settings in the DS CONF file:

  LDAPSRV2:
  LDAPSRV2: Server Configuration
  LDAPSRV2: adminDN: cn=ldapadm2
  LDAPSRV2: adminPW: *configured*
  LDAPSRV2: allowAnonymousBinds: on
  LDAPSRV2: armName: GLDSRVR
  LDAPSRV2: audit 1: off
  LDAPSRV2: commThreads: 10
  LDAPSRV2: db2Terminate: recover
  LDAPSRV2: dnCacheSize: 1000
  LDAPSRV2: idleConnectionTimeout: 0
  LDAPSRV2: listen 1: ldap://:389
  LDAPSRV2: logfile: /etc/ldap/gldlog.output
  LDAPSRV2: maxConnections: 65535
  LDAPSRV2: pcIdleConnectionTimeout: 0
  LDAPSRV2: pcThreads: 10
  LDAPSRV2: schemaPath: /var/ldap/schema
  LDAPSRV2: schemaReplaceByValue: on
  LDAPSRV2: securityLabel: off
  LDAPSRV2: sendV3StringsOverV2As: UTF-8
  LDAPSRV2: serverEtherAddr: 40209402E01C
  LDAPSRV2: serverSysplexGroup: undefined
  LDAPSRV2: sizeLimit: 500
  LDAPSRV2: srvStartUpError: terminate
  LDAPSRV2: supportKrb5: off
  LDAPSRV2: tcpTerminate: recover
  LDAPSRV2: timeLimit: 3600
  LDAPSRV2: validateIncomingV2Strings: on
  LDAPSRV2:
  LDAPSRV2: database LDBM GLDBLD31 LDBM-0001
  LDAPSRV2: changeLoggingParticipant: on
  LDAPSRV2: commitCheckpointEntries: 10000
  LDAPSRV2: commitCheckpointTOD: 00:00
  LDAPSRV2: databaseDirectory: /var/ldap/ldbm
  LDAPSRV2: extendedGroupSearching: off
  LDAPSRV2: fileTerminate: recover
  LDAPSRV2: filterCacheBypassLimit: 100
  LDAPSRV2: filterCacheSize: 5000
  LDAPSRV2: krbIdentityMap: off
  LDAPSRV2: multiServer: off
  LDAPSRV2: nativeAuthSubtree 1: O=IBM
  LDAPSRV2: nativeUpdateAllowed: on
  LDAPSRV2: persistentSearch: off
  LDAPSRV2: pwEncryption: none
  LDAPSRV2: pwCryptCompat: on
  LDAPSRV2: readOnly: off
  LDAPSRV2: secretEncryption: none
  LDAPSRV2: sizeLimit: 500
  LDAPSRV2: suffix 1: o=ibm
  LDAPSRV2: timeLimit: 3600
  LDAPSRV2: useNativeAuth: all
  LDAPSRV2:
  LDAPSRV2: 080226 15:32:49.696369 GLD1074W Maximum client connections changed from 65535 to 65523
  LDAPSRV2: 080226 15:32:49.698101 GLD1004I LDAP server is ready for requests.
  LDAPSRV2: 080226 15:32:49.708738 GLD1059I Listening for requests on 192.168.235.245 port 389.
  LDAPSRV2: 080226 15:32:49.709781 GLD1059I Listening for requests on 127.0.0.1 port 389.

This change seems to work, though:

  ldapsrch -h 192.168.235.245 -D cn=ldapadm2,o=ibm -w PASS/ITSO7471 -s base -b o=ibm objectclass=*
  o=ibm
  objectclass=top
  objectclass=organization
  o=ibm
  Ready; T=0.01/0.02 17:09:49

This will not:

  ldapsrch -h 192.168.235.245 -D cn=linux2,o=ibm -w TEST123/ITSO7471 -s base -b o=ibm objectclass=*
  ldap_sasl_bind_s: Credentials are not valid
  ldap_sasl_bind_s: additional info: R004062 Credentials are not valid (ldbm_authenticate_user)

Trying to activate this LDAP on a Linux machine seems to work, but I cannot log on as the linux2 user. Excerpt from /var/log/messages:

  Feb 26 16:53:08 cs2lx25 sshd[11416]: Invalid user linux2 from 172.24.19.104
  Feb 26 16:53:11 cs2lx25 sshd[11418]: pam_ldap: ldap_search_s No such object
  Feb 26 16:53:11 cs2lx25 sshd[11416]: error: PAM: User not known to the underlying authentication module for illegal user linux2 from 172.24.19.104
  Feb 26 16:53:11 cs2lx25 sshd[11416]: Failed keyboard-interactive/pam for invalid user linux2 from 172.24.19.104 port 3247 ssh2

The YaST LDAP Browser looks like this:

  LDAP Browser
  O=IBM
    O=IBM
      ou=Groups
      cn=LDAP Administrator
      cn=ldapadm2
      ou=Home Town

Any hints?
Med Vänlig Hälsning / Best Regards
Bertil Starck
Handelsbanken CDTI-O
tel: +46 8 701 22 51
e-mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
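An added check, not part of Bertil's post and not IBM's code: the script below parses the LDAPSRV2 console dump quoted above (the line format is copied from the post; the excerpt is abridged) and reports whether a given bind DN falls under a suffix of an LDBM database that has useNativeAuth enabled and under one of its nativeAuthSubtree values. The reading of those two settings (native authentication is attempted only for entries inside a nativeAuthSubtree of a database where useNativeAuth is not off) and the DN-matching rules (case-insensitive, no escaped commas or multi-valued RDNs) are this example's own assumptions. It deliberately answers only the configuration half of the question: a DN that is inside the subtree still has to exist as an entry in LDBM before the server can map it to a RACF user, and that is a separate check (with allowAnonymousBinds on, an anonymous `-s base` search against the DN itself tells you whether the entry is there).

```python
"""Parse a z/VM LDAP server DS CONF console dump and check a bind DN against the
native-authentication settings. Added example; the dump below is constructed
from the post's console excerpt and abridged to the relevant keys."""
import re

# Constructed from the LDAPSRV2 console excerpt in the post (abridged).
DSCONF_DUMP = """\
LDAPSRV2: Server Configuration
LDAPSRV2: adminDN: cn=ldapadm2
LDAPSRV2: allowAnonymousBinds: on
LDAPSRV2: listen 1: ldap://:389
LDAPSRV2: database LDBM GLDBLD31 LDBM-0001
LDAPSRV2: nativeAuthSubtree 1: O=IBM
LDAPSRV2: nativeUpdateAllowed: on
LDAPSRV2: pwEncryption: none
LDAPSRV2: suffix 1: o=ibm
LDAPSRV2: useNativeAuth: all
"""


def parse_dsconf(dump, prefix="LDAPSRV2: "):
    """Split the dump into server-level settings and one dict per database.
    Numbered keys ('suffix 1', 'nativeAuthSubtree 2', ...) are collected into a
    list under their base name so multi-valued options are not overwritten."""
    server, databases = {}, []
    target = server
    for raw in dump.splitlines():
        line = raw[len(prefix):] if raw.startswith(prefix) else raw
        line = line.strip()
        if not line or line == "Server Configuration":
            continue
        if line.startswith("database "):          # start of a backend section
            databases.append({"name": line[len("database "):], "settings": {}})
            target = databases[-1]["settings"]
            continue
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))   # keep 'ldap://:389' intact
        numbered = re.fullmatch(r"(\S+)\s+\d+", key)
        if numbered:
            target.setdefault(numbered.group(1), []).append(value)
        else:
            target[key] = value
    return {"server": server, "databases": databases}


def normalize_dn(dn):
    """DN -> list of (type, value) RDNs, root first, lower-cased for matching.
    Assumption: simple DNs only (no escaped commas, no multi-valued RDNs)."""
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.partition("=")
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return list(reversed(rdns))


def dn_in_subtree(dn, subtree):
    """True if dn equals subtree or sits anywhere below it."""
    base, entry = normalize_dn(subtree), normalize_dn(dn)
    return len(entry) >= len(base) and entry[: len(base)] == base


def native_auth_applies(config, bind_dn):
    """Return (applies, reason). Assumed rule: native auth is attempted for a DN
    under a database suffix when that database's useNativeAuth is not 'off' and
    the DN is under one of its nativeAuthSubtree values. Existence of the entry
    in LDBM is NOT checked here."""
    for db in config["databases"]:
        s = db["settings"]
        if not any(dn_in_subtree(bind_dn, sfx) for sfx in s.get("suffix", [])):
            continue
        mode = s.get("useNativeAuth", "off").lower()
        if mode == "off":
            return False, f"{db['name']}: useNativeAuth is off"
        for sub in s.get("nativeAuthSubtree", []):
            if dn_in_subtree(bind_dn, sub):
                return True, f"{db['name']}: under nativeAuthSubtree {sub} (useNativeAuth {mode})"
        return False, f"{db['name']}: not under any nativeAuthSubtree"
    return False, "no database suffix contains this DN"


if __name__ == "__main__":
    cfg = parse_dsconf(DSCONF_DUMP)
    for dn in ("cn=linux2,o=ibm", "cn=ldapadm2,o=ibm", "cn=ldapadm2", "cn=x,o=other"):
        print(f"{dn:22} -> {native_auth_applies(cfg, dn)}")
```

Note that both `cn=linux2,o=ibm` and `cn=ldapadm2,o=ibm` come out as "applies": the configuration treats them identically, so a bind that works for one DN and fails for the other points at the entries (or the RACF side of the mapping), not at the DS CONF settings.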
